The disruptions that affected all industries in 2020 will forever reshape the financial services industry. With such changes come regulatory and public policy challenges and concerns, which in 2021 will begin to inform the future, altering our view of the course to take.
Here, from the KPMG report Ten key regulatory challenges of 2021, we share insights related to core risk management.
The role of core risk management continues to evolve as financial services companies balance key priorities including increasing risk efficiency, modernizing technology, enhancing effectiveness, and building programs that are scalable and resilient all while maintaining regulatory compliance. Additionally, core risk management is under increasing regulatory focus which can result in severe, and potentially public, action including significant financial penalties if thematic, pervasive, or systemic risk issues are identified and categorized as inadequate risk management. Timely adoption and implementation of actions to correct identified risk issues is a key component of heightened regulatory attention to risk management.
Common challenges include:
Demonstrating risk management effectiveness and adequate oversight over the control environment. With the rapid pace of change at financial institutions, risks are continually evolving and the control environment is constantly changing. In an ecosystem where systems, processes and people change regularly, organizations can struggle with knowing, monitoring, and appropriately addressing risk. This can present challenges when articulating the effectiveness of the control environment. Furthermore, examiners are focused on the effectiveness of testing programs including methodology, testing techniques, coverage, and frequency in addition to clearly defined testing roles across the three lines of defense.
Maintaining or enhancing effectiveness while undertaking cost reduction and efficiency initiative. As financial institutions explore efficiency levers including alternative sourcing strategies, consolidation of redundant risk functions and/or methodologies, rationalization of foundational risk data, integration of technology and automation use, and other risk-based scoping approaches to improve efficiency ratios, they must be careful to maintain the quality of risk outputs and identify and address any degradation of risk management effectiveness.
Establishing risk frameworks that are adaptable, are resilient and address areas of emerging regulatory focus.The adaptability and resilience of core risk management frameworks are under increased regulatory focus as firms manage through alternative/new business operating models and unexpected or severe events even as they also prepare for strategic growth through acquisition, the launch of new products and services, and integration of new or evolving regulatory expectations. (Regulatory expectations related to operational resiliency and cybersecurity continue to evolve and are further explored in the Operational Resiliency and Cybersecurity section of the report below.)
Moving to data driven assessments. Financial services firms are increasingly aware of the limitations of classical, judgement-based risk measurement and management approaches. Collectively, firms are looking to the power of data to augment their capabilities, strengthen risk management protocols, and drive business value through better risk analytics. However, many institutions have found that a significant data uplift and cleanse is required to enhance the quality of data and inputs prior to implementing these data driven techniques in addition to evaluating and potentially supplementing the data quality controls to maintain assessment inputs.
Increasing complexity. Large organizations have highly complex data and technology ecosystems that give rise to systemic risks and exploitable vulnerabilities. Once triggered, these risks can have runaway effect, with multiple, severe consequences. Furthermore, to meet enterprise level goals, organizations are using new innovative solutions and disruptive technologies but may lack adequate technology risk management processes, which can introduce new risks and business disruptions.
- Demonstrating risk management effectiveness, not simply remediation activities
- Focusing on an integrated risk management approach across material risk types and lineage of risk data, outputs, and reporting
- Balancing cost take out initiatives while still delivering core risk management requirements
- Performing adequate monitoring, governance, and supervision over the internal control environment
- Seeing examiner focus on conduct, operational resilience, and product lifecycle risk management
- Scaling core risk management activities to keep pace with growth, acquisition, or changing external conditions
- Evolving regulatory expectations for strong core risk management practices
- Moving to data driven and quantitatively supported risk and control assessments
- Enhancing management and board reporting to increase transparency and risk data consumption
8 actions to take
- Evaluate existing core risk management activities, framework, and coverage for effectiveness and potential redundancies.
- Identify and evaluate the intended or unintended outcomes, cost reduction and efficiency initiatives to ensure regulatory obligations are met or exceeded.
- Evaluate existing risk frameworks for scalability to support firm strategy and growth objectives.
- Review recent changes to business operating models to ensure new or elevated risks are adequately accounted for in risk inventories/profile.
- Evaluate existing internal control environment approaches, scope, coverage, and responsibilities and strengthen, as appropriate, any gaps, potential exposures, or escalation issues.
- Enable data interoperability. Data and technology target state should enable the sharing/linkage of risk data across key risk categories, support aggregation of data, eliminate redundancies or overlaps in source systems, and provide a single source of truth for reporting purposes.
- Review, inventory, and cleanse (as needed) existing data and quality of data to support data driven assessments.
- Integrate technology risk management capabilities with broader risk strategy and align with enterprise and operational risk priorities that are supported through the use of technology, data, and skilled technology risk professionals.